Auditing in CIS Environment Lesson 2


AUDITING IN A COMPUTERIZED ENVIRONMENT
Chapter 7
Introduction
Information technology throughout the
world has revolutionized and dramatically
changed the manner in which business is
conducted today. Computerization has a
significant effect on organizational controls, the
flow of documents, information processing and so on.
Although auditing in a CIS environment has
not changed the fundamental nature of auditing,
it has caused substantial changes in the methods
of evidence collection and evaluation. It also
requires the auditor to become knowledgeable
about the computer environment (hardware,
software, etc.) and to keep pace with rapidly
changing technology, even to the extent of using
sophisticated audit software.
CHARACTERISTICS OF COMPUTER INFORMATION SYSTEMS (CIS)
• Lack of visible transaction trails
• Consistency of Performance
• Ease of Access to Data and Computer
Programs
• Concentration of duties
• System generated transactions
• Vulnerability of data and program storage
media
Lack of visible transaction trails
• In a manual system, it is normally possible to
follow a transaction through the system by
examining source documents, entity’s records,
and financial reports.
• In a CIS environment, data can be entered
directly into the computer system without
supporting documents.
Consistency of Performance
• CIS performs functions exactly as
programmed. It will never get tired
performing the assigned task in exactly the
same manner.
• Because of this, clerical errors that are
normally associated with manual processing
are eliminated.
• But an incorrect program will result in
consistently erroneous data processing.
Ease of Access to Data and Computer Programs
• In a CIS environment, data and computer
programs may be accessed and altered by
unauthorized persons leaving no visible
evidence.
• Appropriate controls must be incorporated
into the system to limit access to the data files
and programs to authorized personnel only.
Concentration of duties
• Proper segregation of duties is an essential
characteristic of a sound internal control system.
• However, because of the ability of the computer
to process data efficiently, functions that are
normally segregated in manual processing may be
combined in a CIS environment without weakening
internal control, provided appropriate compensating
controls are put in place.
System generated transactions
• Certain transactions may be initiated by the
CIS itself without the need for an input
document. For example, interest may be
calculated and charged automatically to
customers’ account balances on the basis of
pre-authorized terms contained in a computer
program.
Vulnerability of data and program storage media
• In a manual system, the records are written in
ink on substantial paper; computer storage media,
by contrast, are very fragile in form.
• The situation is completely different in a CIS
environment. The information on the computer
can be easily changed, leaving no trace of the
original content. Such a change could happen
inadvertently, and a huge amount of information
can be quickly lost.
Internal Control in a CIS Environment
General Controls
1. Organizational controls
2. System development and documentation
controls
3. Access Controls
4. Data recovery controls
5. Monitoring controls
Organizational controls
• In a manual system, there should be a written
plan of the organization, with clear
assignment of authority and responsibility.
• In a CIS environment, the plan of organization
for an entity's computer system should include
segregation between the user departments and the
CIS department, and segregation of duties within
the CIS department.
a. Segregation between the CIS department and
user departments.
– The CIS department must be independent of all
departments within the entity that provide input
data or that use output generated by the CIS.
b. Segregation of duties within the CIS
department.
– The entity's organizational structure should
provide for definite lines of authority and
responsibility within the CIS department.
Sample of an organizational structure
within the CIS department:

CIS Director
|-- Systems development
|     |-- System Analyst
|     `-- Programmer
|-- Operations
|     |-- Computer Operator
|     `-- Data Entry Operator
`-- Other functions
      |-- Librarian
      `-- Control Group
Position | Primary Responsibilities
CIS Director | Exercises control over the CIS operation.
System Analyst | Designs new systems, evaluates and improves existing systems, and prepares specifications for programmers.
Programmer | Guided by the specifications of the systems analyst, writes programs, tests and debugs them, and prepares the computer operating instructions.
Computer Operator | Using the programs and detailed operating instructions prepared by the programmer, operates the computer to process transactions.
Data Entry Operator | Prepares and verifies input data for processing.
Librarian | Maintains custody of systems documentation, programs and files.
Control Group | Reviews all input procedures, monitors computer processing, follows up data processing errors, reviews the reasonableness of output, and distributes output to authorized personnel.
System development and documentation controls
• Software development as well as changes
thereof must be approved by the appropriate
level of management and the user
department.
• To ensure that computer programs are
functioning as designed, the program must be
tested and modified, if needed, by the user
and CIS department.
Access Controls
• Every computer system should have adequate
security controls to protect equipment, files
and programs. Access to the computer should
be limited to operators and other authorized
employees only.
Data recovery controls
• One of the characteristics of a CIS is the
vulnerability of files and programs. The loss of
computer files can be disastrous to an entity, and
the survival of an entity affected by such a
disaster depends on its ability to recover the
files on a timely basis.
• When magnetic tapes are used, a common
practice in file retention called the grandfather-
father-son practice requires an entity to keep
the two most recent generations of master files
and the corresponding transaction files, in order
to permit reconstruction of the current master
file if it is lost or damaged.
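The recovery the grandfather-father-son practice makes possible, as an added example that is not part of the lecture: a retained older generation of the master file plus the intervening transaction files are re-processed to rebuild the current (son) master. The account numbers, balances, transaction codes and the three-generation library structure are all constructed here for illustration.

```python
"""Grandfather-father-son retention and master-file reconstruction.

Added example (not from the lecture): the account numbers, balances and
transaction codes are constructed, and the three-generation library is an
assumption about how the retained tapes would be organised.
"""
from decimal import Decimal

# Constructed sample: the oldest retained master file (grandfather) of a
# receivables ledger, and the transaction files of the two runs since then.
# "DR" increases a receivable balance, "CR" (a payment) reduces it, "OPEN"
# creates a new account with the given opening balance.
GRANDFATHER = {"A100": Decimal("500.00"), "A200": Decimal("1200.00"), "A300": Decimal("75.00")}
RUN_2 = [("A100", "DR", Decimal("100.00")), ("A300", "CR", Decimal("25.00")),
         ("A400", "OPEN", Decimal("0.00"))]
RUN_3 = [("A200", "DR", Decimal("200.00")), ("A400", "DR", Decimal("60.00")),
         ("A100", "CR", Decimal("600.00"))]


def apply_transactions(master, transactions):
    """Produce the next generation of the master file from the previous one.

    The previous generation is never modified, which is what makes it
    usable as a recovery point later.
    """
    new = dict(master)
    for acct, code, amount in transactions:
        if code == "OPEN":
            if acct in new:
                raise ValueError(f"{acct}: account already exists")
            new[acct] = amount
        elif code == "DR":
            new[acct] += amount
        elif code == "CR":
            new[acct] -= amount
        else:
            raise ValueError(f"{acct}: unknown transaction code {code!r}")
    return new


class FileLibrary:
    """Retains the current master (son), the two prior generations and the
    transaction files that link them, discarding anything older."""

    GENERATIONS = 3  # son, father, grandfather

    def __init__(self, initial_master):
        self.masters = [dict(initial_master)]  # oldest first
        self.transactions = []  # transactions[i] turns masters[i] into masters[i + 1]

    def run(self, transactions):
        """One processing run: create a new son from the current master."""
        son = apply_transactions(self.masters[-1], transactions)
        self.masters.append(son)
        self.transactions.append(list(transactions))
        while len(self.masters) > self.GENERATIONS:
            self.masters.pop(0)
            self.transactions.pop(0)
        return son

    def reconstruct_current(self, generations_back):
        """Rebuild the current master from an older retained generation by
        re-applying the intervening transaction files in order. Use 1 if
        only the son was lost, 2 if the father is also unusable."""
        if not 1 <= generations_back < len(self.masters):
            raise ValueError("no retained generation that far back")
        master = self.masters[-1 - generations_back]
        for txns in self.transactions[-generations_back:]:
            master = apply_transactions(master, txns)
        return master


def control_total(master):
    """Sum of balances, compared before and after recovery as a completeness check."""
    return sum(master.values(), Decimal("0.00"))


if __name__ == "__main__":
    lib = FileLibrary(GRANDFATHER)
    lib.run(RUN_2)
    son = lib.run(RUN_3)
    # Simulate losing both the son and the father: rebuild from the grandfather.
    rebuilt = lib.reconstruct_current(2)
    print("rebuilt matches son:", rebuilt == son, "control total:", control_total(rebuilt))
```

The transaction files are as important as the master files here: without the file for a run, the generation that run produced cannot be rebuilt from the one before it, so both must be retained and both should be verified (for instance with the control total) after the recovery run.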
Monitoring controls
• Are designed to ensure that CIS controls are
working effectively as planned. These include
periodic evaluation of the adequacy and
effectiveness of the overall CIS operations
conducted by persons within or outside the
entity.
Application Controls
1. Controls over input
2. Controls over processing
3. Controls over output
1. Controls over input
• Input controls are designed to provide
reasonable assurance that data submitted for
processing are complete, properly authorized
and accurately translated into machine
readable form.
• Examples:
– Key verification
• This requires data to be entered twice to provide assurance
that there are no key entry errors committed.
– Field check
• This ensures that the input data agree with the required field
format.
– Validity check
• Information entered is compared with valid information in
the master file to determine the authenticity of the input.
– Self-checking digit
• This is a mathematically calculated digit which is usually
added to a document number to detect common
transpositional errors in data submitted for processing.
– Limit check
• Also called a reasonableness check, this is designed to ensure that
data submitted for processing do not exceed a pre-determined
limit or a reasonable amount.
– Control totals
• These are totals computed from the data submitted for processing
(for example a record count or a total of the amounts in a batch) and
later compared with the totals the system computes, so that lost,
duplicated or mis-keyed records are detected.
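The input controls listed above, implemented over one batch of transactions, as an added example that is not the lecture's own material. The record layout, the customer master, the credit limit, the batch and its control-group header are constructed; the self-checking digit uses the Luhn (mod 10) scheme, which is an assumption, since the lecture names no particular scheme.

```python
"""Input controls over a batch of sales-invoice transactions.

Added example (not the lecture's own material). The record layout, the
customer master, the credit limit and the batch itself are constructed;
the self-checking digit uses the Luhn (mod 10) scheme, an assumption.
"""
import re
from decimal import Decimal, InvalidOperation


# --- Self-checking digit ----------------------------------------------------
def luhn_checksum(digits: str) -> int:
    """Weighted mod-10 sum: every second digit from the right is doubled,
    and 9 is subtracted from any doubled value above 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10


def append_check_digit(number: str) -> str:
    """Append the digit that makes the whole number's checksum zero."""
    return number + str((10 - luhn_checksum(number + "0")) % 10)


def check_digit_ok(number: str) -> bool:
    # Detects any single wrong digit and any adjacent transposition except 09 <-> 90.
    return number.isdigit() and luhn_checksum(number) == 0


# --- Field, validity and limit checks ----------------------------------------
FIELD_FORMATS = {
    "doc_no": re.compile(r"^\d{11}$"),          # 10-digit number plus check digit
    "customer": re.compile(r"^C\d{4}$"),
    "amount": re.compile(r"^\d{1,9}\.\d{2}$"),  # money with two decimals
}


def field_check(record):
    """Names of the fields whose contents do not match the required format."""
    return [f for f, pat in FIELD_FORMATS.items() if not pat.match(record.get(f, ""))]


def validity_check(record, master_customers):
    """The customer must exist in the master file."""
    return record["customer"] in master_customers


def limit_check(amount: Decimal, limit: Decimal) -> bool:
    return amount <= limit


# --- Key verification --------------------------------------------------------
def key_verification(first_entry, second_entry):
    """Fields on which two independent keying passes disagree."""
    return [f for f in first_entry if first_entry[f] != second_entry.get(f)]


# --- Control totals ----------------------------------------------------------
def control_totals(records):
    """Record count and batch (amount) total as the system sees them. An
    unparseable amount drops out of the total, which is exactly what the
    comparison with the control group's header is meant to catch."""
    total = Decimal("0.00")
    for r in records:
        try:
            total += Decimal(r["amount"])
        except InvalidOperation:
            pass
    return len(records), total


def validate_batch(records, header, master_customers, credit_limit):
    accepted, errors = [], []
    for i, r in enumerate(records, start=1):
        bad = field_check(r)
        if bad:
            errors.append((i, "field", bad))
        elif not check_digit_ok(r["doc_no"]):
            errors.append((i, "check_digit", r["doc_no"]))
        elif not validity_check(r, master_customers):
            errors.append((i, "validity", r["customer"]))
        elif not limit_check(Decimal(r["amount"]), credit_limit):
            errors.append((i, "limit", r["amount"]))
        else:
            accepted.append(r)
    count, total = control_totals(records)
    totals_ok = count == header["record_count"] and total == header["batch_total"]
    return {"accepted": accepted, "errors": errors,
            "computed_totals": (count, total), "totals_ok": totals_ok}


# --- Constructed batch -------------------------------------------------------
VALID_CUSTOMERS = {"C1001", "C1002", "C1003"}
CREDIT_LIMIT = Decimal("10000.00")
BATCH = [
    {"doc_no": append_check_digit("7992739871"), "customer": "C1001", "amount": "1250.00"},   # clean
    {"doc_no": "79927398731", "customer": "C1002", "amount": "300.00"},      # last two digits transposed
    {"doc_no": append_check_digit("1234567890"), "customer": "C9999", "amount": "45.00"},     # unknown customer
    {"doc_no": append_check_digit("5555555555"), "customer": "C1003", "amount": "25000.00"},  # over the limit
    {"doc_no": "ABC", "customer": "C1001", "amount": "10.00"},                # bad document-number format
    {"doc_no": append_check_digit("2468013579"), "customer": "C1003", "amount": "12.5O"},     # letter O keyed in amount
]
# Totals the control group computed from the source documents before keying.
BATCH_HEADER = {"record_count": 6, "batch_total": Decimal("26617.50")}
```

Only the first record is accepted; each of the other five trips exactly the control it was constructed to trip, and the batch total computed by the system (26605.00) disagrees with the control group's header (26617.50) because the mis-keyed amount on the last record could not be totalled. The check digit is an input control, not a security control: it catches keying slips, and anyone who knows the scheme can produce a number that passes it.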
2. Controls over processing
• Processing controls are designed to provide
reasonable assurance that input data are
processed accurately, and that data are not
lost, added, excluded, duplicated or
improperly changed.
3. Controls over output
• Output controls are designed to provide
reasonable assurance that the results of
processing are complete, accurate and that
these outputs are distributed only to
authorized personnel.
Tests of Controls in a CIS Environment
1. Audit around the computer, or
2. Use Computer-Assisted Audit Techniques
Audit around the computer
• Is similar to testing control in a manual control
structure in that it involves examination of
documents and reports to determine the
reliability of the system.
Computer-Assisted Audit Techniques (CAATs)
• “white box approach”
• Are computer programs and data which the
auditor uses as part of the audit procedures to
process data of audit significance contained in
an entity’s information systems.
• Includes
– Test data
– Integrated test facility
– Parallel simulation
1. Test data
• This technique is primarily designed to test the
effectiveness of the internal control procedures
incorporated in the client's computer program. It
requires the auditor to create test inputs (data),
both valid and deliberately invalid, process them
using the client's computer program, and compare
the results with what the controls should have
produced.
2. Integrated test facility
• Integrates the processing of test data with the
actual processing of ordinary transactions,
without management being aware of the testing
process.
3. Parallel simulation
• Requires the auditor to write a program that
simulates key features or processes of the
program under review, process the client's actual
data through it, and compare the results with the
client's own output; differences are investigated
as exceptions.
– Generalized audit software
– Purpose-written programs
• Generalized audit software consists of
generally available computer packages which
have been designed to perform common
audit tasks such as performing or verifying
calculations, summarizing and totalling files,
and reporting in a format specified by the
auditor.
• Purpose-written programs are designed to
perform audit tasks in specific circumstances.
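Parallel simulation in working form, as an added example that is not part of the lecture: the auditor re-performs the client's system-generated interest charge (the example given earlier under system generated transactions) with an independently written routine and lists every difference from the client's output. The balances, the pre-authorized terms, the client's output file and the two errors planted in it are constructed here.

```python
"""Parallel simulation of a system-generated interest charge.

Added example, not from the lecture: the auditor's own re-performance of
the client's month-end interest routine. Account balances, terms, the
client's output file and the errors planted in it are all constructed.
"""
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed client data: month-end receivable balances and the
# pre-authorized terms (annual rate, and a balance below which no interest
# is charged) held in the client's master file.
BALANCES = {"A100": Decimal("1000.00"), "A200": Decimal("2500.00"),
            "A300": Decimal("20.00"), "A400": Decimal("480.00")}
TERMS = {"A100": {"annual_rate": Decimal("0.12"), "min_balance": Decimal("50.00")},
         "A200": {"annual_rate": Decimal("0.18"), "min_balance": Decimal("50.00")},
         "A300": {"annual_rate": Decimal("0.12"), "min_balance": Decimal("50.00")},
         "A400": {"annual_rate": Decimal("0.09"), "min_balance": Decimal("50.00")}}

# Constructed output of the client's program for the same month. A400's
# charge has its digits transposed, and A500 (no balance on file) was charged.
CLIENT_OUTPUT = {"A100": Decimal("10.00"), "A200": Decimal("37.50"),
                 "A400": Decimal("3.06"), "A500": Decimal("5.00")}


def simulate_interest(balances, terms):
    """The auditor's simplified version of the client's routine: one month
    of simple interest on the closing balance, rounded half-up to the cent,
    nothing charged below the minimum balance."""
    charges = {}
    for acct, balance in balances.items():
        t = terms[acct]
        if balance < t["min_balance"]:
            continue
        monthly = balance * t["annual_rate"] / 12
        charges[acct] = monthly.quantize(CENT, rounding=ROUND_HALF_UP)
    return charges


def compare(expected, actual, tolerance=Decimal("0.00")):
    """Exception report: each line is (account, expected, actual, reason).
    The union of both key sets is walked so that charges the client omitted
    and charges it should not have raised are both reported."""
    exceptions = []
    for acct in sorted(set(expected) | set(actual)):
        if acct not in actual:
            exceptions.append((acct, expected[acct], None, "charge missing from client output"))
        elif acct not in expected:
            exceptions.append((acct, None, actual[acct], "charge not supported by simulation"))
        elif abs(expected[acct] - actual[acct]) > tolerance:
            exceptions.append((acct, expected[acct], actual[acct], "amount differs"))
    return exceptions


def run_parallel_simulation():
    return compare(simulate_interest(BALANCES, TERMS), CLIENT_OUTPUT)


if __name__ == "__main__":
    for line in run_parallel_simulation():
        print(*line)
```

The simulation deliberately re-implements only the key feature under review (the rate calculation and the minimum-balance rule), not the whole billing program; a tolerance argument is provided because a simplified simulation may legitimately differ from the client's program by rounding, and the auditor decides how large a difference counts as an exception. With the constructed data the report lists A400 (3.60 expected, 3.06 charged) and A500 (charged with no balance on file).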
Other CAATs
1. Snapshots
– This technique involves taking a picture of a
transaction as it flows through the computer
system.
2. Systems control audit review files (SCARF)
– This involves embedding audit software modules
within an application system to provide
continuous monitoring of the system's
transactions.
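Both embedded techniques in one small transaction-processing program, as an added example that is not part of the lecture: a snapshot hook records the state of auditor-tagged transactions before and after each processing stage, and a SCARF hook copies every transaction that meets the auditor's selection criteria to an audit review file. The three stages, the criteria and the sample transactions are constructed; a real embedding would write to files under the auditor's control rather than to in-memory lists.

```python
"""Snapshot and SCARF modules embedded in a transaction-processing program.

Added example (not from the lecture). The three processing stages, the
auditor's selection criteria and the sample transactions are constructed;
a real embedding would write the snapshot and SCARF records to files the
auditor controls, here they are kept in lists.
"""
from dataclasses import dataclass, replace
from decimal import Decimal


@dataclass
class Txn:
    txn_id: str
    customer: str
    amount: Decimal
    override: bool = False    # credit-limit override keyed by a supervisor
    audit_tag: bool = False   # auditor's tag: snapshot this transaction at every stage
    status: str = "received"
    discount: Decimal = Decimal("0.00")


class EmbeddedAuditModules:
    def __init__(self, scarf_amount_threshold):
        self.threshold = scarf_amount_threshold
        self.snapshots = []  # (txn_id, stage, point, copy of the transaction's fields)
        self.scarf = []      # transactions that met the auditor's criteria

    def snapshot(self, txn, stage, point):
        """Snapshot: record the transaction's state at a stage, tagged ones only."""
        if txn.audit_tag:
            self.snapshots.append((txn.txn_id, stage, point, dict(vars(txn))))

    def scarf_check(self, txn):
        """SCARF: continuously copy transactions matching the auditor's
        criteria to the audit review file, together with the reasons."""
        reasons = []
        if txn.amount > self.threshold:
            reasons.append("amount over threshold")
        if txn.override:
            reasons.append("supervisor override")
        if txn.status == "rejected":
            reasons.append("rejected by validation")
        if reasons:
            self.scarf.append({"txn_id": txn.txn_id, "customer": txn.customer,
                               "amount": txn.amount, "reasons": reasons})


STAGES = ("validate", "price", "post")


def process(txn, audit):
    """The client's application logic with the two audit hooks embedded."""
    for stage in STAGES:
        audit.snapshot(txn, stage, "before")
        if stage == "validate":
            txn.status = "accepted" if txn.amount > 0 else "rejected"
        elif stage == "price" and txn.status == "accepted":
            if txn.amount > Decimal("1000.00"):  # volume discount
                txn.discount = (txn.amount * Decimal("0.05")).quantize(Decimal("0.01"))
        elif stage == "post" and txn.status == "accepted":
            txn.status = "posted"
        audit.snapshot(txn, stage, "after")
    audit.scarf_check(txn)
    return txn


# Constructed batch.
SAMPLE = [
    Txn("T1", "C1001", Decimal("500.00")),
    Txn("T2", "C1002", Decimal("5000.00")),                 # over the SCARF threshold
    Txn("T3", "C1003", Decimal("800.00"), override=True),   # supervisor override
    Txn("T4", "C1001", Decimal("150.00"), audit_tag=True),  # auditor-tagged: snapshots
    Txn("T5", "C1002", Decimal("0.00")),                    # fails validation
]


def run_batch(transactions=SAMPLE, threshold=Decimal("2000.00")):
    """Process copies of the transactions and return the audit module with
    its snapshot trail and SCARF file filled in."""
    audit = EmbeddedAuditModules(threshold)
    for txn in transactions:
        process(replace(txn), audit)
    return audit


if __name__ == "__main__":
    audit = run_batch()
    for rec in audit.scarf:
        print("SCARF", rec["txn_id"], rec["amount"], ", ".join(rec["reasons"]))
    for txn_id, stage, point, state in audit.snapshots:
        print("SNAP", txn_id, stage, point, state["status"], state["discount"])
```

The snapshot trail is what lets the auditor see an intermediate state the output never shows (the status after validation, the discount after pricing), and the SCARF file is what makes the monitoring continuous: the criteria are evaluated on every live transaction rather than on a sample the auditor draws later. Because both hooks sit inside the client's program, the auditor needs program-change controls over them too; otherwise the client could alter the criteria or suppress the writes.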
